[ 
https://issues.apache.org/jira/browse/STORM-349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14086648#comment-14086648
 ] 

ASF GitHub Bot commented on STORM-349:
--------------------------------------

Github user revans2 commented on a diff in the pull request:

    https://github.com/apache/incubator-storm/pull/215#discussion_r15836462
  
    --- Diff: storm-core/pom.xml ---
    @@ -197,6 +201,21 @@
                 <scope>test</scope>
             </dependency>
             <dependency>
    +     <groupId>org.apache.hadoop</groupId>
    +     <artifactId>hadoop-auth</artifactId>
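Review bot: the `hadoop-auth` dependency added to storm-core/pom.xml shows no `<scope>` or `<exclusions>` in the lines visible here, which stop at `<artifactId>`. If the rest of the hunk does not already do so, declare the scope explicitly and exclude the transitive artifacts storm-core does not use, so they stay off the classpath handed to user topologies. The added `<groupId>` and `<artifactId>` lines are also indented less than the surrounding `<dependency>` element and should be aligned with the file's existing indentation.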
    --- End diff --
    
    I'm not sure we want to pull this in directly to Storm itself.  Storm 
already has a lot of dependencies and adding more seems to me like it could 
pollute the user classpath.  Looking at 
https://github.com/apache/hadoop-common/blob/trunk/hadoop-common-project/hadoop-auth/pom.xml
it looks like this is going to add in javax.servlet:servlet-api, 
commons-codec:commons-codec, 
org.apache.directory.server:apacheds-kerberos-codec and 
org.apache.hadoop:hadoop-annotations to the classpath, possibly along with 
some oddness with two versions of Jetty: org.mortbay.jetty:jetty and the 
org.eclipse.jetty:jetty that you added in above too. I am OK with adding in new 
dependencies, but I would like to understand better what really needs to be 
here and what does not.
    
    Ideally it would also be nice to separate out dependencies that are needed 
for worker processes from everything else.  But that is probably a separate 
JIRA.


> (Security) ui actions should have nimbus like authorization
> -----------------------------------------------------------
>
>                 Key: STORM-349
>                 URL: https://issues.apache.org/jira/browse/STORM-349
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>            Reporter: Robert Joseph Evans
>            Assignee: Sriharsha Chintalapani
>              Labels: security
>
> The UI provides APIs to kill, rebalance, ... a topology.  For security we 
> originally took the route to optionally disable these, but ideally the UI 
> server would load an IAuthorizer instance like nimbus, and check if the user 
> is allowed to perform that operation before doing it on behalf of the user.
> This should be fairly straightforward but may require some glue code like is 
> being used in the drpc server for its web interface.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
